wireshark 2.4.6 cannot decode ssl application data

asked Apr 17 '18 by haoqingchuan

updated Apr 17 '18 by grahamb

I added the private key, and the private key works fine because it looks up the right KeyID.

ssl_association_remove removing UDP 6443 - handle 0x141e987b0
KeyID[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |

Calculating hash with offset 68 1181
lookup(KeyID)[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |

But Wireshark still cannot decode application data; here is the related debug info:

dissect_ssl enter frame #587 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 160
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 155, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 151 bytes, remaining 160
Calculating hash with offset 5 155
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #589 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 1669
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 58, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 58
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17
ssl_dissect_hnd_hello_ext_alpn: changing handle 0x0 to 0x141e98d30 (http2)ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
  record: offset = 63, reported_length_remaining = 1606
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1181, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 1177 bytes, remaining 1249
Calculating hash with offset 68 1181
lookup(KeyID)[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |
ssl_find_private_key_by_pubkey: lookup result: 0x7fb883e5e000
  record: offset = 1249, reported_length_remaining = 420
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 300, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1254 length 296 bytes, remaining 1554
Calculating hash with offset 1254 300
  record: offset = 1554, reported_length_remaining = 115
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 101, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1559 length 97 bytes, remaining 1660
Calculating hash with offset 1559 101
  record: offset = 1660, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1665 length 0 bytes, remaining 1669
Calculating hash wit ...

1 Answer


answered Apr 20 '18 by Lekensteyn

updated Apr 20 '18 by grahamb

RSA private key files only work with the RSA key exchange method, but your session uses an ephemeral Diffie-Hellman key exchange (based on elliptic curves):

ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17

For the background details, see my SharkFest '18 ASIA talk, SSL/TLS Decryption: uncovering secrets:

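Added example, not part of the answer above and not Wireshark code: a short Python triage of the SSL debug log that applies the answer's rule to each `ssl_set_cipher` line. The function names are hypothetical, and the sample excerpt is constructed from lines in the question's log.

```python
import re

# Constructed sample: three lines taken from the debug log quoted in the question.
SAMPLE_LOG = """\
ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17
ssl_dissect_hnd_hello_ext_alpn: changing handle 0x0 to 0x141e98d30 (http2)ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_find_private_key_by_pubkey: lookup result: 0x7fb883e5e000
"""

CIPHER_RE = re.compile(r"ssl_set_cipher found CIPHER (0x[0-9A-Fa-f]+) (\S+)")
# A non-zero pointer in the lookup result means a loaded key matched the certificate.
KEY_HIT_RE = re.compile(r"ssl_find_private_key_by_pubkey: lookup result: 0x0*[1-9A-Fa-f]")


def key_exchange(suite):
    """Classify the key exchange from the cipher suite name (hypothetical helper)."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    if not m:
        return "unknown"       # the name carries no key exchange part
    kx = m.group(1)
    if kx.startswith(("ECDHE_", "DHE_")):
        return "ephemeral-dh"  # the secret is never encrypted to the server key
    if kx == "RSA":
        return "rsa"           # premaster secret is encrypted to the server's RSA key
    return "other"


def triage(log):
    """Return one (suite, key_exchange, verdict) tuple per negotiated cipher line."""
    key_hit = bool(KEY_HIT_RE.search(log))
    keylog_missing = "keylog_file is not configured" in log
    findings = []
    for _code, suite in CIPHER_RE.findall(log):
        kx = key_exchange(suite)
        if kx == "rsa":
            verdict = "private key decrypts" if key_hit else "no matching private key"
        elif kx == "ephemeral-dh":
            verdict = ("private key cannot decrypt; key log file not configured"
                       if keylog_missing else
                       "private key cannot decrypt; secrets must come from the key log file")
        else:
            verdict = "undetermined"
        findings.append((suite, kx, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

On the question's log this reports the ECDHE suite as not decryptable with the RSA key even though the KeyID lookup succeeded, which is the mismatch the answer points out.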
